Malvertising activity has continued to ramp up, but the tactics are remaining fairly constant. As with most nefarious cyber-activities, criminals often go back to the well when they hit on something that works. So, it’s shouldn’t be a huge surprise that hundreds of adult sites have been hit with a malvertising infection that could affect millions.
Malwarebytes said that it is picking up dozens of attacks on moderately popular porn portals. And because it’s porn, “moderate” still means millions of daily visitors.
Notable sites that were affected include: drtuber.com (55.3 million monthly visitors); nuvid.com (41.9M); eroprofile.com (14M); iceporn.com (6.9M); and xbabe.com (4.2M).
“The modus operandi is quite straightforward and facilitated by a compromised Flash advert directly hosted and served by AdXpansion, an adult ad network, which triggers a hidden Flash exploit loaded from a seemingly innocent XML file,” explained Malwarebytes researcher Jerome Segura, in a blog. “This technique has been used before in other self-sufficient Flash ad/exploit attacks.”
As soon as the rogue Flash advert is displayed in the browser (no click on it is required) it will attempt to load the exploit code.
This is the latest in a series of malvertising attacks using an unusual but familiar delivery method recently. Indeed, instead of relying on an exploit kit to compromise the victims’ machines, this technique simply relies on a disguised Flash advert that downloads its own exploit and payload.
“We previously encountered this attack pattern on two occasions, one for a Sparta Ad and another that involved RTB platform DirectRev,” Segura said. Last month, an attack featured various ad platforms leading to a booby trapped DirectRev ad, which served up the Cryptowall ransomware.
XXX sites have been a favorite target for criminals—largely because of the bigger bang for the buck, as it were, that such sites represent. A massive malvertising attack struck adult content portals back in September too, including top porn domain xHamster.com, which has close to half a billion monthly visitors.
This latest malvertising campaign has been running since at least Nov. 21. AdExpansion has been notified.
Photo © Nejron Photo